New zero-day Java 7 vulnerability being exploited in the wild

(LiveHacking.Com) – US-CERT has issued a security advisory about an unspecified vulnerability in the most up-to-date version of Java (Java 7 Update 10) that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. According to TrendLabs, the zero-day exploit is being used by toolkits such as the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Brian Krebs has noted that the author of the Blackhole exploit kit is calling the new exploit a ‘New Year’s Gift’ to customers who use Blackhole.

Initial analysis of the exploit shows that it is probably bypassing certain security checks by tricking the permissions of certain Java classes, as in CVE-2012-4681. According to US-CERT, the exploit works by leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects: an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to grant itself full privileges, without requiring code signing.

The only good bits of news are that Java 6 doesn’t seem to be affected and that, since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java Control Panel. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

US-CERT (and others) were alerted to the existence of the zero-day vulnerability by a blogger named Kafeine at the site Malware don’t need Coffee.

“We can confirm that this is a new vulnerability,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, in an email to Computerworld. “We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well; we’re currently analyzing whether other older updates are vulnerable.”